Google extends bug bounties to YouTube, Blogger

Google has announced plans to extend its existing Chrome browser bounty program to cover "web properties which display or manage highly sensitive authenticated users data or accounts", such as Google, YouTube, Blogger and Orkut, Google's security team said in a blog post.

Researchers are encouraged to look for bugs that affect the "confidentiality or integrity" of user information, such as cross-site scripting, cross-site request forgery and authorisation bypass vulnerabilities, the post said.

"Please, only ever target your own account or a test account," the security team wrote. "Never attempt to access anyone else's data. Do not engage in any activity that bombards Google services with large numbers of requests or large volumes of data."

The base prize is US$500, but each find could be worth up to US$3,133.70, depending on the severity of the flaw. Google may match the reward if winners want to donate it to charity. To qualify, disclosures must be privately reported to Google, but researchers are encouraged to post details of their discovery after Google has fixed the issue.

The company's client applications, such as Android, Picasa and Desktop, are currently not covered under the program.

Google is a leading industry proponent of bug disclosures that benefit both the finder and the vulnerable vendor. In July, the company said software makers should fix "critical" vulnerabilities within two months, and researchers should demand a patch deadline for any flaw they submit.

"Accordingly, we believe that responsible disclosure is a two-way street," Google researchers and engineers wrote at the time. "Vendors, as well as researchers, must act responsibly. Serious bugs should be fixed within a reasonable timescale. Whilst every bug is unique, we would suggest that 60 days is a reasonable upper bound for a genuinely critical issue in widely deployed software."

See original article on scmagazineus.com